Modeling Large S-box in MILP and a (Related-Key) Differential Attack on Full Round PIPO-64/128

The differential characteristic search problem is converted into mixed integer linear programming (MILP) model to get the bound against differential attack. The difference distribution table is used to write the linear inequalities for MILP modeling of S-box. To construct a reduced set of such inequalities, we present the approaches based on Quine-McCluskey(QM) and Espresso algorithms that are used for active S-box minimization and probability optimization respectively. These approaches are used to search the differential characteristics for lightweight block cipher PIPO-64/128. There are 20621 inequalities in 23 variables corresponding to possible difference transitions in the DDT and these are minimized to 6035 inequalities. MILP model based on these inequalities is used to optimize the probability of differential and impossible differential characteristics for PIPO-64/128 reduced to 9 and 4 rounds respectively. We construct an iterative 2-round related-key differential characteristic with the probability of 2(-4) and that is used to present a full round related-key differential distinguisher with the probability of 2(-24). We develop a key recovery attack using related keys on full round PIPO-64/128 with the data complexity of 2(32). We present a major collision in PIPO-64/128 which produces the same ciphertext (C) by encrypting the plaintext (P) under two different keys.